- The MAILING DATE of this communication appears on the cover sheet with the correspondence address
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication.

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any
earned patent term adjustment. See 37 CFR 1.704(b).

Status 

1) ☒ Responsive to communication(s) filed on 16 January 2004.

2a) ☐ This action is FINAL. 2b) ☒ This action is non-final.

3) ☐ Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) ☒ Claim(s) 1-26 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration.

5) ☐ Claim(s) is/are allowed.

6) ☒ Claim(s) 1-26 is/are rejected.

7) ☐ Claim(s) is/are objected to.

8) ☐ Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) ☐ The specification is objected to by the Examiner.

10) ☒ The drawing(s) filed on 16 January 2004 is/are: a) ☒ accepted or b) ☐ objected to by the Examiner.
Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

11) ☐ The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119 

12) ☐ Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).

1. ☐ Certified copies of the priority documents have been received.

3. ☐ Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).

* See the attached detailed Office action for a list of the certified copies not received.

DETAILED ACTION

1. Claims 1-26 are pending.

Claim Rejections - 35 USC § 103

2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:



(a) A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject 
matter sought to be patented and the prior art are such that the subject matter as a whole 
would have been obvious at the time the invention was made to a person having ordinary 
skill in the art to which said subject matter pertains. Patentability shall not be negatived 
by the manner in which the invention was made. 

3. Claims 1-26 are rejected under 35 U.S.C. 103(a) as being unpatentable over Soles et al., 
US patent 6782421 and Todd Sr et al., US patent 6185689. 

In reference to claim 1:

Soles et al. discloses the method for providing automated tracking of security vulnerabilities,
comprising:

• Performing a vulnerability assessment on a system, where the vulnerability assessment is
the evaluation of the system capabilities (Column 2, lines 37-45), and where this
evaluation assesses the vulnerabilities in the system (Column 2, lines 64-67) & (Column
4, lines 10-27) & (Column 8, lines 55-62)

• Storing data obtained from the vulnerability assessment in a vulnerabilities database,
where the data drawn from the evaluation is stored in a database as a metrics history.
(Column 4, lines 47-64)

• Determining a vulnerability score based on a plurality of vulnerability factors identified
by the vulnerability assessment, where the vulnerabilities are determined as a service
level system (Column 5, lines 50-67), and where the service levels are graded. (Column
6, lines 5-65) et seq.

Soles et al. fails to explicitly disclose:
Determining a time to fix a vulnerability identified by the vulnerability assessment of the
system based on the determined vulnerability score.

Todd Sr. et al. discloses a method of assessing a particular host for security vulnerabilities in
which he teaches:

• Determining a time to fix a vulnerability identified by the vulnerability assessment of the
system based on the determined vulnerability score. (Column 7, lines 1-7 et seq.)

Todd Sr. et al. teaches that his method of providing a security assessment for a particular host
provides the advantage of allowing the detection of vulnerability to denial of service attacks
(Column 3, lines 63 - Column 4, lines 5)

It would have been obvious to one of ordinary skill in the art to use the additional security
assessment of Todd Sr. et al. for scanning a host because it would allow the ascertaining of the
vulnerability level of the host to denial of service attacks.

In reference to claim 2: 

Soles et al. discloses the method of claim 1, wherein determining the vulnerability factor further
comprises considering the frequency the identified vulnerability occurs in the system, where the
frequency of the identified vulnerability may be gauged in monthly or other cycles. (Column 9,
lines 35-45) & (Figure 16) & (Column 7, lines 8-50)

In reference to claim 3: 

Soles et al. discloses the method of claim 2, wherein determining the vulnerability factor further 
comprises the criticality of an element in the system presenting the vulnerability and a rating of 
the severity of the vulnerability, where the criticality of an element in the system is the business 
risk associated with the vulnerability and how much of a threat it has to impacting users. 
(Figures 17-20) & (figure 23) & (Column 9, lines 45 - Column 10, line 17) 

In reference to claim 4: 

Todd Sr. et al. discloses the method of claim 1 further comprising determining an IP address 
associated with the vulnerability. (Column 5, lines 65-Column 6, lines 5) & (Column 4, line 55- 
65) & (Column 8, line 5-20) 

In reference to claim 5:

Todd Sr. et al. discloses the method of claim 4 further comprising entering the IP address and a 
description of the identified vulnerability in a tracking database. (Column 7, line 55 - Column 8, 
line 66) & (Column 7, lines 18-25) & (Column 5, lines 5-20) 

In reference to claim 6: 

Soles et al. discloses the method of claim 1 further comprising determining delinquent 
vulnerabilities based upon the determined time to fix the vulnerability identified by the 
vulnerability assessment, where if the vulnerability is not fixed within a month, the service grade 
will drop. (Column 7, lines 1-7) 

In reference to claim 7: 

Soles et al. discloses the method of claim 6 further comprising providing notification of 
determined delinquencies. (Column 7, lines 1-7) 

In reference to claim 8: 

Todd Sr. et al. discloses the method of claim 6 further comprising re-running a scan profile when 
notification is received that the vulnerability has been fixed. (Column 7, lines 45-56) 

In reference to claim 9: 

Todd Sr. et al. discloses the method of claim 8 further comprising determining whether the
vulnerability still exists and archiving records associated with the vulnerability when the
vulnerability does not exist, where the determination if the vulnerability still exists would be
made by rescanning the system, and results would be archived in a hypertext report. (Column
7, lines 45-56)

In reference to claim 10: 

Soles et al. discloses a method for determining a criticality factor for a vulnerability in a 
computer system, comprising: 

• Entering in a database vulnerabilities identified during a vulnerability assessment, where
the data drawn from the evaluation is stored in a database as a metrics history.
(Column 4, lines 47-64)

• Monitoring a frequency of occurrence for the identified vulnerabilities. (Column 9, lines
35-45) & (Figure 16)

• Assigning a vulnerability factor to a vulnerability based upon the frequency of occurrence
of the vulnerability in the system. (Figures 17-20) & (figure 23) & (Column 9, lines 45
- Column 10, line 17)

In reference to claim 11: 

Soles et al. discloses the method of claim 10, wherein the assigning a vulnerability factor further
comprises considering a criticality of an element in the system presenting the vulnerability and a
rating of the severity of the vulnerability within the system, where the criticality of an element in
the system is the business risk associated with the vulnerability and how much of a threat it has
to impacting users. (Figures 17-20) & (figure 23) & (Column 9, lines 45 - Column 10, line 17)



Claim 12 is rejected for the same reasons as claim 1. 
Claim 13 is rejected for the same reasons as claim 2. 
Claim 14 is rejected for the same reasons as claim 3. 
Claim 15 is rejected for the same reasons as claim 4. 
Claim 16 is rejected for the same reasons as claim 5. 
Claim 17 is rejected for the same reasons as claim 6. 
Claim 18 is rejected for the same reasons as claim 7. 
Claim 19 is rejected for the same reasons as claim 8. 
Claim 20 is rejected for the same reasons as claim 9. 
Claim 21 is rejected for the same reasons as claim 10. 
Claim 22 is rejected for the same reasons as claim 11.
Claim 23 is rejected for the same reasons as claim 1. 
Claim 24 is rejected for the same reasons as claim 10. 
Claim 25 is rejected for the same reasons as claim 1.
Claim 26 is rejected for the same reasons as claim 10. 

Conclusion 

4. The following art not relied upon is made of record: 

• US patent 6324656 discloses a multiphase vulnerability assessment

• US patent 6205552 discloses a method of scanning networked devices for vulnerabilities. 

5. Any inquiry concerning this communication from the examiner should be directed to 
Thomas M Ho whose telephone number is (571)272-3835. The examiner can normally be 
reached on M-F from 9:30 AM - 6:00 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor,
Gilberto Barron, can be reached on (571)272-3799.

The Examiner may also be reached by email at Thomas.Ho6@uspto.gov



Any inquiry of a general nature or relating to the status of this application or proceeding should 
be directed to the receptionist whose telephone number is (571)272-2100. 